The headlines are nearly ubiquitous at this point: this summer, the people of the United Kingdom voted to leave the European Union. The reasons cited for leaving are varied and complicated, with many commentators still debating what caused a niche political movement to be adopted by 52% of the electorate. However, most agree that the following broad factors led to the vote to leave (aka “Brexit”):
- A belief that the EU wields too much power over U.K. legislation and a subsequent desire to restore sovereignty
- Dissatisfaction over the costs of EU membership and a feeling that the U.K. paid too much and received too little in return in comparison to other countries
- Concern over EU immigration policy and a desire to have full control over U.K. borders
- Anger over the U.K. government’s austerity regime, particularly in areas that have suffered a decline in manufacturing and industrial jobs
Technically speaking, the controversial referendum was not an official notice to the EU that the U.K. will leave. Once formal notice is given to the EU, the clock starts on a two-year exit phase for organizing the finer points of Brexit. U.K. Prime Minister Theresa May said she understands the need for certainty but has indicated that she does not intend to give the formal notice this year. At the earliest, Brexit could become official in 2019.
But what does this referendum mean for U.S. businesses with global operations? Specifically, what is the full impact of Brexit on data transfers in corporate litigation and investigations? How should U.S. in-house counsel and their law firms be preparing for future data protection and privacy changes as a result of Brexit? What will be the impact on global ediscovery practices?
Data Protection: New Horizons or Business As Usual?
The U.K. currently operates under the Data Protection Act 1998 (DPA), which was enacted to bring British law in line with the EU Data Protection Directive (DPD). Since Britain voted to leave the EU, it is likely that the DPA will remain unchanged at least during the Brexit transition period.
The future state of the law is partly dependent on whether or not Britain becomes part of the European Economic Area (EEA) or the European Free Trade Association. If the U.K. becomes part of the EEA and the EU finds the U.K.’s data protection safeguards to be appropriate, this would make transferring data outside of the U.K. easier. However, it is likely that businesses will still have to comply with the new requirements to be implemented under the forthcoming General Data Protection Regulation when transferring data across borders to comply with legal obligations in other countries. If Britain does not become part of the EEA, the situation is more complicated, and it is likely that an arrangement similar to the EU-U.S. Privacy Shield would need to be agreed to. This would likely provide a safe passage for the transfer of data between the U.K. and other countries in Europe.
Ediscovery: Knowledge and Technology are Power
The crux of the situation is that the international data protection landscape is changing regardless of the outcome of the Brexit referendum, and U.S. businesses with global operations need to be prepared for the differences. Until the U.K. finalizes its data protection regime and comes to an agreement with the EU, companies need to think carefully about the risks of transferring data across U.K. borders. But business does not have to come to a standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European data centers to continue processing and transferring data in Europe in a compliant and cost-effective manner.